IPTables


iptables, formerly known as ipchains, is a command-line interface that controls the access rules of netfilter. netfilter is the packet-filtering framework of the Linux 2.4 and later kernel series, i.e. the firewall.

By default there are no rules and the policies are to ACCEPT all traffic inbound and outbound.

These terms are important to know when working with iptables:

  • Tables - a container for the chains
  • Chains - the direction of the packet
  • Targets - what is going to happen to the packet

These are important.

CREATED 2019-04-26 00:44:59.0

007-00-00-DC

UPDATED 2020-03-05 12:26:41.0

The Tables...


Tables (hence iptables):

  • filter - the default; if you don't specify a table, rules go here.
  • mangle - rules that alter (mangle) packet headers
  • nat - rules for Network Address Translation
  • raw - rules for packets regardless of state

You can also create custom chains. In a rule the -j parameter is for jump, and its target can be another chain.

CREATED 2019-04-25 19:24:04.0

007-00-00-D8

UPDATED 2020-03-05 12:26:37.0

The Chains...


Chains operate within the tables.

CREATED 2019-04-25 19:24:23.0

007-00-00-D9

UPDATED 2020-03-05 12:26:32.0

Extensions


iptables -t filter -A INPUT -m connlimit ...

Use extensions with the -m (match) argument.

This example loads the connlimit module.

CREATED 2019-04-25 19:42:37.0

007-00-00-DA

UPDATED 2020-03-05 12:26:25.0

connlimit


connlimit limits the number of parallel connections per client address (or address block).

From the iptables man pages:

  • --connlimit-upto n - match if the number of existing connections is below or equal to n
  • --connlimit-above n - match if the number of existing connections is above n
  • --connlimit-mask 0-32 - the prefix length (subnet mask) used to group hosts
  • --connlimit-saddr - apply the limit to the source group (the default)
  • --connlimit-daddr - apply the limit to the destination group
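As an added example (not code from the original page), a POSIX shell function that emits a filter-table ruleset in iptables-restore format, tying together the default table, a custom chain reached with -j, and the connlimit extension described above; the chain name SSH_LIMIT, the interface eth0 and the limit of 3 connections per /24 are assumed values. The text can be reviewed or diffed before loading it with iptables-restore.

```shell
#!/bin/sh
# Emit a filter-table ruleset (the default table) as iptables-restore text.
# Chain name SSH_LIMIT, interface and limit are assumed values for illustration.

# gen_ruleset IFACE MAX_PER_SUBNET -> prints the ruleset on stdout
gen_ruleset() {
    iface=$1
    max=$2
    cat <<EOF
*filter
# Default policies: drop anything no rule accepts; outbound stays open.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# A custom chain; rules reach it with -j (jump), like any other target.
:SSH_LIMIT - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $iface -p tcp --dport 22 --syn -j SSH_LIMIT
# -m connlimit counts existing connections per source /24 (--connlimit-mask 24,
# --connlimit-saddr is the default); above the limit the new SYN is rejected.
-A SSH_LIMIT -p tcp --syn -m connlimit --connlimit-above $max --connlimit-mask 24 --connlimit-saddr -j REJECT --reject-with tcp-reset
-A SSH_LIMIT -j ACCEPT
COMMIT
EOF
}

# count_rules_for CHAIN RULESET -> number of -A lines appended to CHAIN
count_rules_for() {
    printf '%s\n' "$2" | grep -c "^-A $1 "
}

ruleset=$(gen_ruleset eth0 3)
printf '%s\n' "$ruleset"
```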

CREATED 2019-04-25 19:42:54.0

007-00-00-DB

UPDATED 2020-03-05 12:26:21.0

Two NICs...


The situation. We have a multihomed machine that operates on two different networks.

  • Network A - 192.168.1.0/24
  • Network B - 192.168.2.0/24

We must do three things to address this situation:

  • Create two routing tables - done in /etc/iproute2/rt_tables
  • Add a route to the interfaces file for each interface
  • Add a rule to the interfaces file for each NIC.

First the tables file... in /etc/iproute2/rt_tables add two lines:

    1 routeA
    2 routeB

This indicates that route 1 is routeA and route 2 is routeB.

Next add the routes to /etc/network/interfaces for the first network card (eth0), which operates on routeA, i.e. 192.168.1.0/24:

    allow-hotplug eth0
    iface eth0 inet static
        address 192.168.1.94/24
        gateway 192.168.1.1
        post-up ip route add 192.168.1.0/24 dev eth0 src 192.168.1.94 table routeA
        post-up ip route add default via 192.168.1.1 dev eth0 table routeA
        post-up ip rule add from 192.168.1.94/32 table routeA
        post-up ip rule add to 192.168.1.95/32 table routeA

This tells the system to use eth0 for anything addressed to or from 192.168.1.0/24.

Next, in the same file, add a second stanza with routes and rules for the second network (192.168.2.0/24):

    allow-hotplug eth1
    iface eth1 inet static
        address 192.168.2.36/24
        gateway 192.168.2.1
        # routes for the second card go out dev eth1, not eth0
        post-up ip route add 192.168.2.0/24 dev eth1 src 192.168.2.36 table routeB
        post-up ip route add default via 192.168.2.1 dev eth1 table routeB
        post-up ip rule add from 192.168.2.36/32 table routeB
        post-up ip rule add to 192.168.2.36/32 table routeB
CREATED 2020-03-05 12:25:31.0

010-00-00-92

UPDATED 2020-03-05 12:26:15.0

©2012 Leistware Data Systems